Hi all,

One of my co-workers and I do web development on the side (independently, for the most part), and we double-check each other's work from a pseudo-pentesting standpoint. (The mandatory "I have permission and it's not that I'm up to no good" introduction!)

Anyway, he has set up a few very basic directories (simple html site), but what is perplexing me is this:

domain.com/main/index.html is the landing page for "domain.com", and it appears with the full path in the address bar.
domain.com/main/contact.html, etc are the rest of the "public" pages

domain.com/members is protected with .htpasswd, and is basically the same as the main directory
domain.com/members/index.html
domain.com/members/content.html
etc..

However:
"domain.com/terms-of-service" doesn't have a file extension. When I tried various extensions, it got even stranger:
.html shows the correct page, while .htm, .cfm, .asp/x, etc all result in a 404 error...

But... "domain.com/terms-of-service.php" results in a blank white page with "No input file specified", and the URL in the TITLE area.

I tried a few basic GET parameters, but don't seem to be getting anywhere. It would appear that there are two copies of the same file: a PHP version and an HTML version. The rest of the site is in HTML, so it doesn't make sense that he'd have PHP for the TOS and privacy policy... unless he made them .php out of habit lol

I'm still trying to wrap my head around this before I see him Monday and have to admit defeat... any thoughts? Do you think this could pose a weakness?

FYI .htpasswd is very insecure and easily brute forced in most cases with minimal effort unless your passwords are extravagantly long. (Check out the THCHydra program and you'll see what I mean... )

That being said, definitely (unless he knows what you're up to and decided to throw you a curveball on purpose). I'd look for anything that mentions the TOS in the regular web site with any hint on whatever input it's looking for.

All knowledge is good; only the way it is put into action can be good or evil. - An ape from the original Planet of the Apes

I'm guessing that the TOS defaults to .html, so when you exclude the extension it works. Adding the extension makes no difference. Adding .php calls a different file which is expecting params. The default page is probably defined in a .htaccess file.
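
One .htaccess setup that would produce the behaviour described in this thread, shown as an added example that is not part of any post and is not the site's actual configuration. It assumes Apache with mod_rewrite and PHP run through php-cgi, which answers "No input file specified." when it is handed a script path that does not exist on disk; the handler name and binary path are placeholders.

```apache
# Constructed example: not the configuration of the site discussed above.
# Assumed server-level PHP setup (CGI-style; name and path are placeholders).
# The "virtual" modifier turns off Apache's check that the requested file exists:
#   AddHandler php-cgi .php
#   Action     php-cgi /cgi-bin/php-cgi virtual

# Make the extension mapping explicit instead of relying on content negotiation
Options -MultiViews
RewriteEngine On

# 1) Extensionless URLs: /terms-of-service is served from terms-of-service.html
#    only when that file exists. No rule maps .htm, .cfm or .asp, so those
#    requests fall through to an ordinary 404.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^(.+)$ $1.html [L]

# 2) Without this rule, a request for a *.php path that has no file behind it
#    still reaches php-cgi, which replies "No input file specified." instead
#    of Apache's own 404 page. The different error tells a visitor that a PHP
#    handler is installed even though the site itself is static HTML.
#    Returning a plain 404 before the handler runs removes that difference.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.php$ - [R=404,L]
```

Under these assumptions there is no second copy of the page: the .php response comes from the handler, and listing the document root for terms-of-service.* on the server confirms which files actually exist.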